Skip to main content

Libcoap CVE-2026-29013

| EUVDEUVD-2026-23535 HIGH
Out-of-bounds Read (CWE-125)
2026-04-17 VulnCheck
8.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Re-analysis Queued
Apr 20, 2026 - 17:52 vuln.today
cvss_changed
Analysis Generated
Apr 18, 2026 - 00:18 vuln.today
EUVD ID Assigned
Apr 17, 2026 - 21:45 euvd
EUVD-2026-23535
Analysis Generated
Apr 17, 2026 - 21:45 vuln.today
Patch released
Apr 17, 2026 - 21:45 nvd
Patch available
CVE Published
Apr 17, 2026 - 21:11 nvd
HIGH 8.8

DescriptionCVE.org

libcoap contains out-of-bounds read vulnerabilities in OSCORE Appendix B.2 CBOR unwrap handling where get_byte_inc() in src/oscore/oscore_cbor.c relies solely on assert() for bounds checking, which is removed in release builds compiled with NDEBUG. Attackers can send crafted CoAP requests with malformed OSCORE options or responses during OSCORE negotiation to trigger out-of-bounds reads during CBOR parsing and potentially cause heap buffer overflow writes through integer wraparound in allocation size computation.

AnalysisAI

Out-of-bounds read in libcoap's OSCORE CBOR parsing can escalate to heap buffer overflow, enabling remote unauthenticated attackers to trigger memory corruption via malformed CoAP packets. Affects libcoap versions prior to v4.3.5b. The vulnerability stems from release builds removing assert() bounds checks in get_byte_inc(), allowing integer wraparound during allocation size computation. No public exploit identified at time of analysis, but proof-of-concept is straightforward given the specific code path and commit fix available.

Technical ContextAI

libcoap is a C implementation of the Constrained Application Protocol (CoAP, RFC 7252) used in IoT and resource-constrained devices. OSCORE (Object Security for Constrained RESTful Environments, RFC 8613) provides end-to-end encryption for CoAP messages using CBOR (Concise Binary Object Representation) encoding. The vulnerability resides in src/oscore/oscore_cbor.c's get_byte_inc() function, which performs buffer access during OSCORE Appendix B.2 CBOR unwrapping. The root cause (CWE-125: out-of-bounds read) occurs because bounds validation relies exclusively on assert() statements that are compiled out when NDEBUG is defined in production builds. This allows attackers to supply CBOR-encoded payloads that cause reads beyond allocated buffer boundaries. The secondary impact involves integer wraparound during subsequent allocation size calculations based on attacker-controlled length fields, potentially converting the read primitive into heap buffer overflow writes. Affected product: cpe:2.3:a:libcoap:libcoap:*:*:*:*:*:*:*:* versions below v4.3.5b.

RemediationAI

Upgrade libcoap to version v4.3.5b or later, which introduces proper bounds checking independent of assert() macros. The fix is available in upstream commit b7847c4dbb0dbee7c90b09a673d4cae256f03718 at https://github.com/obgm/libcoap/commit/b7847c4dbb0dbee7c90b09a673d4cae256f03718. Organizations maintaining custom libcoap builds should apply this commit and recompile with OSCORE support. If immediate patching is not feasible, implement network-level mitigations: restrict CoAP endpoint access to trusted networks only via firewall rules blocking UDP port 5684 (CoAPS) and 5683 (CoAP) from untrusted sources, or disable OSCORE support at compile time if the encryption feature is not required (trade-off: loss of end-to-end CoAP security). Application-level workaround: implement input validation to reject OSCORE options exceeding expected size thresholds before they reach libcoap parsing routines, though this requires deep protocol knowledge and may not catch all malformed inputs triggering the integer wraparound path. Note that disabling OSCORE eliminates this specific attack surface but removes message-level confidentiality and integrity protections.

CVE-2024-0962 HIGH POC
7.8 Jan 27

A vulnerability was found in obgm libcoap 4.3.4. Rated high severity (CVSS 7.8), this vulnerability is low attack comple

CVE-2024-31031 HIGH POC
7.5 Apr 17

An issue in `coap_pdu.c` in libcoap 4.3.4 allows attackers to cause undefined behavior via a sequence of messages leadin

CVE-2023-30362 HIGH POC
7.5 Jun 23

Buffer Overflow vulnerability in coap_send function in libcoap library 4.3.1-103-g52cfd56 fixed in 4.3.1-120-ge242200 al

CVE-2023-35862 MEDIUM POC
6.5 Jun 19

libcoap 4.3.1 contains a buffer over-read via the function coap_parse_oscore_conf_mem at coap_oscore.c. Rated medium sev

CVE-2025-34468 HIGH
8.2 Dec 31

Availability loss and potential remote code execution in libcoap (versions up to and including 4.3.5, before commit 30db

CVE-2025-59391 MEDIUM
6.5 Dec 08

A memory disclosure vulnerability exists in libcoap's OSCORE configuration parser in libcoap before release-4.3.5-patche

CVE-2025-65501 MEDIUM
4.3 Nov 24

Null pointer dereference in coap_dtls_info_callback() in OISM libcoap 4.3.5 allows remote attackers to cause a denial of

CVE-2025-65500 MEDIUM
4.3 Nov 24

NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attack

CVE-2025-65499 MEDIUM
4.3 Nov 24

Array index error in tls_verify_call_back() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause

CVE-2025-65498 MEDIUM
4.3 Nov 24

NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attack

CVE-2025-65497 MEDIUM
4.3 Nov 24

NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attack

CVE-2025-65496 MEDIUM
4.3 Nov 24

NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attack

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-29013 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy